CVE-2015-3795 vulnerability warning - the black bar safety net

2016-01-16T00:00:00
ID MYHACK58:62201671060
Type myhack58
Reporter Anonymous
Modified 2016-01-16T00:00:00

Description

0x01 mach_shark

In the previous article I already mentioned mach_shark several times. One of the tool's uses is that it can generate a small C stub function, and that stub lets you replay a captured Mach message. As that article explained, Mach IPC is stateful, and the C stub generated by mach_shark does not implement any of the state handling that interacting with a process requires. It still provides a starting point for the most minimal kind of fuzzing: I can send a message to the kernel, or to bootstrap/launchd. So what can be done with it? Find the most complicated message I can, and start with the simplest possible fuzzer. The biggest-looking attack surface is the open command. In particular I was interested in how, with the default browser not running, correctly formed user data such as a command like "open http://wuntee.sexy" opens the browser and points it at the URL. Running the open command under mach_shark and reviewing the roughly 300 IPC requests it produced, one of them looked like a good entry point: a very large and complex XPC message that also appeared to contain some Objective-C class names.

0x02 fuzzing and crashing

The output of the C stub function mentioned above is very simple, but it builds a correct Mach message and extracts from the original message the communication port you want to connect to. A sample of its output is as follows (the payload bytes are elided here as in the original):

    #include <mach/mach.h>
    #include <servers/bootstrap.h>

    mach_port_t bp, port;
    /* look up the target service through the task's bootstrap port */
    kern_return_t ret = task_get_bootstrap_port(mach_task_self(), &bp);
    ret = bootstrap_look_up(bp, "com.apple.CoreServices.coreservicesd", &port);
    /* raw message bytes captured by mach_shark, replayed as-is */
    unsigned char payload[] = { ... };
    mach_msg_header_t *msg = (mach_msg_header_t *)payload;
    msg->msgh_remote_port = port;
    msg->msgh_local_port = MACH_PORT_NULL;
    msg->msgh_bits = MACH_MSGH_BITS_ZERO;
    /* remote, local and voucher port rights for the header */
    msg->msgh_bits = MACH_MSGH_BITS_SET_PORTS(MACH_MSG_TYPE_COPY_SEND, MACH_MSG_TYPE_MAKE_SEND_ONCE, MACH_MSG_TYPE_COPY_SEND);
    mach_msg_return_t msg_ret = mach_msg_send(msg);

Using the payload obtained from the open command, I started a simple byte-mutation fuzzer, but one that sends the messages directly to bootstrap/launchd.

Having a fuzzer up and running made me so excited that I let it run directly on my local host. I continued researching other Mach payloads while the fuzzer ran in the background. After a few minutes, my machine rebooted because of a problem. The only thought in my head was that there could be no simpler method than this. No way.. The details of why my machine rebooted, and how I ended up debugging the crash of the process, can be found in the article Debugging launchd on OSX 10.10.3.

0x03 xpc serialization/deserialization

I then moved the fuzzer into a VM to analyze the root cause of the crash that had just happened. I could determine that the crash was in a strlen call made by the XPC deserialization code. That looked a bit strange, so I started looking in depth at the XPC message structure. To that end I created a service that accepts XPC messages and a simple client program that sends arbitrary messages, while using the mach_shark tool to capture the messages and record the different payload structures. The basic structure of the XPC payloads I captured is as follows:

    [xpc_message_header][xpc_type_$X_1]...[xpc_type_$X_n]

where the header structure is:

    typedef struct __attribute__((packed)) {
        u_int32_t magic;        // "!CPX"
        u_int32_t version;      // "\x05\x00\x00\x00"
        u_int32_t type;
        u_int32_t size;         // counted from the end of this field onwards
        u_int32_t num_entries;
    } xpc_message_header;

followed by xpc_type_$X structures (these are layout descriptions rather than compilable C: key is a variable-length, null-terminated string padded to a 4-byte boundary):

    typedef struct __attribute__((packed)) {
        char key[];             // null terminated
        u_int32_t type;
        u_int32_t size;         // counted from the end of this field onwards
        u_int32_t num_entries;
        unsigned char payload[];
    } xpc_type_complex;

    typedef struct __attribute__((packed)) {
        char key[];             // null terminated
        u_int32_t type;
        u_int32_t len;
        char str_or_data[];
    } xpc_type_string_or_data;

    typedef struct __attribute__((packed)) {
        char key[];             // null terminated
        u_int32_t type;
        u_int64_t value;        // can be uint64, int64, uuid, double
    } xpc_type_value;

    typedef struct __attribute__((packed)) {
        char key[];             // null terminated
        u_int32_t type;         // used for external data types like file descriptors and port rights
    } xpc_type_novalue;

As an example, the Mach message data:

    21 43 50 58 05 00 00 00 00 f0 00 00 48 00 00 00  !CPX........H...
    02 00 00 00 62 6f 6f 6c 5f 76 61 6c 75 65 5f 74  ....bool_value_t
    72 75 65 00 00 20 00 00 01 00 00 00 73 74 72 69  rue.. ......stri
    6e 67 5f 76 61 6c 75 65 00 00 00 00 00 90 00 00  ng_value........
    11 00 00 00 74 68 69 73 20 69 73 20 61 20 73 74  ....this is a st
    72 69 6e 67 00 00 00 00                          ring....

decodes as:

    21 43 50 58:                                       Magic "!CPX"
    05 00 00 00:                                       Version 5
    00 f0 00 00:                                       Type 'dictionary'
    48 00 00 00:                                       Size 72
    02 00 00 00:                                       2 entries
    62 6f 6f 6c 5f 76 61 6c 75 65 5f 74 72 75 65 00:   Key 'bool_value_true', null terminated / padded
    00 20 00 00:                                       Type 'boolean'
    01 00 00 00:                                       Value 'true'
    73 74 72 69 6e 67 5f 76 61 6c 75 65 00 00 00 00:   Key 'string_value', null terminated / padded
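As an added example (not code from the original article or from mach_shark), here is a small Python parser for the dictionary layout described above, run over the sample message re-typed from the dump. Every read is bounded by the size field and the key terminator is searched for only inside the message, which is the check a deserializer needs before anything strlen-like touches attacker-controlled keys; the only type tags it knows are the three that occur in the dump, and rejecting other tags is an assumption made here.

```python
import struct

XPC_MAGIC, XPC_VERSION = b"!CPX", 5
# Type tags exactly as they appear in the dump on this page; nothing else is assumed.
T_DICTIONARY, T_BOOL, T_STRING = 0xF000, 0x2000, 0x9000

# The 88-byte sample message from the page, re-typed from its hex dump.
SAMPLE = bytes.fromhex((
    "21435058 05000000 00f00000 48000000 02000000 626f6f6c 5f76616c 75655f74"
    "72756500 00200000 01000000 73747269 6e675f76 616c7565 00000000 00900000"
    "11000000 74686973 20697320 61207374 72696e67 00000000").replace(" ", ""))

def _u32(buf, off, limit):
    # Every read is bounded by the message end, not by whatever buffer the caller owns.
    if off + 4 > limit:
        raise ValueError("truncated u32 at offset %d" % off)
    return struct.unpack_from("<I", buf, off)[0], off + 4

def _key(buf, off, limit):
    # The terminating NUL must lie inside the message; a strlen-style scan would run past it.
    end = buf.find(b"\x00", off, limit)
    if end < 0:
        raise ValueError("unterminated key at offset %d" % off)
    return buf[off:end].decode("ascii"), off + ((end - off + 1 + 3) & ~3)  # pad to 4

def parse_xpc(buf):
    # Parse a top-level XPC dictionary message into a Python dict.
    if len(buf) < 20 or buf[:4] != XPC_MAGIC:
        raise ValueError("bad magic or short header")
    version, mtype, size, nent = struct.unpack_from("<IIII", buf, 4)
    if version != XPC_VERSION or mtype != T_DICTIONARY:
        raise ValueError("unsupported version/type 0x%x/0x%x" % (version, mtype))
    limit = 16 + size  # size counts the bytes after the size field
    if limit > len(buf):
        raise ValueError("size field %d exceeds buffer" % size)
    out, off = {}, 20
    for _ in range(nent):
        key, off = _key(buf, off, limit)
        vtype, off = _u32(buf, off, limit)
        if vtype == T_BOOL:  # carried as a 4-byte value in the dump
            val, off = _u32(buf, off, limit)
            out[key] = bool(val)
        elif vtype == T_STRING:  # u32 length includes the NUL, body padded to 4 bytes
            ln, off = _u32(buf, off, limit)
            if ln == 0 or off + ln > limit or buf[off + ln - 1] != 0:
                raise ValueError("bad string length %d at offset %d" % (ln, off))
            out[key] = buf[off:off + ln - 1].decode("utf-8")
            off += (ln + 3) & ~3
        else:
            raise ValueError("unsupported entry type 0x%x" % vtype)
    return out
```

Running parse_xpc(SAMPLE) yields {'bool_value_true': True, 'string_value': 'this is a string'}; a message whose size field overruns the buffer, or whose key never terminates inside it, raises ValueError instead of reading out of bounds.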
